Author Archive - Roland Dela Paz (Threat Researcher)

In our 2013 predictions, we noted how malware would only gradually evolve without much in the way of significant change. This can be seen in the use of some (otherwise legitimate) hacking tools in APT attacks.

How is this a problem? Hacking tools are grayware: anti-malware products do not always detect them, or ethical and legal considerations keep vendors from doing so. Unfortunately, this means less visibility in APT forensic investigations. In addition, it saves attackers the trouble of writing their own tools. Some of the common hacking tools we see are:

Password recovery tools – tools for extracting passwords or password hashes stored by applications or the operating system on the local drive or in registry entries. These are typically used to clone or impersonate user accounts in order to obtain administrator rights. The pass-the-hash technique is one common method for attackers to gain administrator rights using stolen password hashes.

User account clone tools – used to clone a user account once the attacker has obtained its password. Upon acquiring enough privileges, the attacker can then carry out their malicious intent while bypassing the system’s security measures.

File manipulation tools – tools for manipulating files: copying, deleting, modifying timestamps, and searching for specific files. They are used to adjust the timestamps of accessed files or to delete components in order to cover the tracks of a compromise. They can also be used to search for key documents to exfiltrate, for example by looking for files with specific file extensions.

Scheduled job tools – software for disabling or creating scheduled tasks. Disabling the scheduled tasks that apply software updates lowers the security of the infected system. Creating tasks can be abused as well; for instance, the attackers can create a scheduled task that automatically steals files within a certain timeframe.

FTP tools – tools that aid in FTP transactions, such as uploading files to a specific FTP site. Since FTP transactions look less suspicious on the network, some APT threat actors prefer to upload stolen data to a remote FTP site instead of to the actual C&C server. It should be noted that there are several legitimate FTP applications, which may also be utilized by cybercriminals.

Data compression tools – these tools are neither malicious nor considered hacking tools. In most cases, they are legitimate file compression tools, such as WinRAR, that attackers use to compress and archive multiple stolen files. This aids the attacker in the data exfiltration phase, since the stolen documents can be uploaded as a single archive. In a few cases, however, we have seen these applications packaged and configured to compress a predefined set of files.

Last November 12-14, I had the great opportunity to attend the AVAR 2012 Conference in Hangzhou, China. There were a lot of great presentations; I must say I feel very privileged to have presented our paper, The HeartBeat APT Campaign, alongside these talks.

I will be honest with you: talking in front of renowned people and colleagues in the industry was outright nerve-racking. However, we believe it is our duty to share our findings about the HeartBeat APT with the industry. This entry aims to further serve the same purpose for the industry and for the general public.

The HeartBeat campaign is an isolated APT case that targets organizations within South Korea only. Based on our research, the campaign has been active since at least November 2009. It targets organizations that are directly or in some way related to the South Korean government. Specifically, the HeartBeat campaign targets the following sectors:

In discussions of targeted attacks, it is usually taken for granted that they arrived via some sort of spear-phishing attack. The discussion then moves on to an analysis of the malware involved and/or the servers used or compromised in the attack.

However, to prevent attacks in the first place, it is valuable to look at the spear-phishing attacks themselves. More information about these attacks would allow administrators to consider which emails could pose a security risk, and to design their defenses accordingly.

With that in mind, we wrote our paper titled Spear-Phishing Email: Most Favored APT Attack Bait. In addition to looking at the attachments and file types used, we also looked at the industries/sectors that are targeted, and investigated the importance of good reconnaissance in launching targeted attacks.

Among our key findings are just who is targeted by APTs, and how attackers can find them. Just under two-thirds, or 65 percent, of APT campaigns targeted governments. Just over one-third (35 percent) targeted activists.

In addition, we found that a disturbing number of email addresses can be found online rather easily. Three-fourths of all e-mail addresses that were targets of spear phishing could be found online. This indicates that it is very easy for would-be attackers to build up a “target list” for a spear-phishing campaign.

In many enterprises today, guarding against data breaches and targeted attacks is one of the top concerns of IT administrators. One of the things that administrators guard against is reconnaissance and targeting of any potential high-value personnel who may fall victim to a targeted attack. A less obvious source of information leakage, however, is the humble out-of-office notification.

Consider the typical content of an out-of-office notification. It will have a brief explanation of why the recipient is out of the office, whom the sender can contact instead, and an estimate of when they will return to the office. It may also include the user’s email signature, if they have one.

Individually, this may not be a great deal of information. However, it is easy for would-be attackers to gather multiple out-of-office notifications. Based on our research into spear phishing (the findings of which will be released in an upcoming paper), the e-mail addresses of about half of all spear-phishing recipients can be found online using Google. In many cases, corporate e-mail addresses also follow a predictable firstname_lastname@companyname.com format; this makes many addresses “known” as long as an employee’s name is known.

The approaching holidays give would-be attackers a great opportunity to carry out this attack. In the United States, many workers will be on a long vacation over the Thanksgiving holiday. Later in the year, the Christmas/New Year period will present a similar opportunity, on an even larger scale.

Earlier this year, a new breed of Remote Access Tool (RAT) called PlugX (also known as Korplug) surfaced in the wild. PlugX, reportedly used in a limited number of targeted attacks, is an example of a custom-made RAT developed specifically for such attacks.

The idea behind using this new tool is simple: less recognition by, and more evasion of, security researchers. However, this does not mean that the attack itself is new. Our monitoring reveals that PlugX is part of a campaign that has been around since at least February 2008.

That campaign used the Poison Ivy RAT and was reported to target specific users in Japan, China, and Taiwan. It was also part of a large, concerted attack documented earlier this year. True to its origins, we have observed that PlugX was distributed mainly to government-related organizations and a specific corporation in Japan.

Similar to previous Poison Ivy campaigns, PlugX also arrives as an attachment to spear-phishing emails, either as an archived, bundled file or as a specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We’ve also encountered an instance of PlugX aimed at a South Korean Internet company and a U.S. engineering firm.